A bug leaves 1.4 billion Android users with security risk

Hexamob | Alberto Mulas08/16/2016

There is a new discovery made by the Lookout Security Team in today’s day and that affects a very large slice of all Android users in the world. It is a bug related to kernel linux 3.6 and which is also present in Android from version 4.4 KitKat and later (yes, even in the beta Android Nougat).

This bug would affect so about 80% of all Android users (1.8 billion devices according Statesman) and most probably you who read us. This is the CVE-2016-5696 bug that allows an attacker to sneak in a non-encrypted connection and to execute malicious code. This would be a solution to protect yourself from this bug in a drastic way: use a VPN or connect only to services and sites that use encrypted connections.

Once you intercepted an unencrypted connection with any service on the internet you can for example run a fake pop-up that requires a new access to a generic service (email, social, paypal, etc.). The same could also be done within the browser or through a mail client. If the connection is encrypted, the attacker can still terminate the connection. Google responded to a request for comments by clarifying that the bug is not just Android (and Linux in general) and that engineers are working to fix it, but that the issue does not have top priority.

This choice is probably due to the fact that it is difficult that the bug can be exploited on a large scale. In fact, it takes about 10 seconds to test if two clients are connected and other about 45 seconds to send the malicious code in the original traffic. Whereas, therefore, you must know (or predict) the existence of a certain connection and the time required to run it, it is an attack that only users with the most “sensitive profiles” (politics, government, military, etc.) are in danger so concretely.

Whereas there are smartphones that do not receive support of any kind for years, there are some reservations about solutions to specific users, and we remember that those who want to steal our data has much free time. So have an eye then when checking sites or suspicious messages to a fix in a future patch monthly released by Google (shame that 90% of the 80% of targeted devices will never be updated).